kubeflow-manifests

Add PR build stack components

Open rrrkharse opened this issue 2 years ago • 2 comments

Which issue is resolved by this Pull Request: This PR addresses 2 issues:

  • Enforces PR testing before merging
  • Allows both PR submitters and approvers to view the status of PR testing

Description of your changes:

The PR build process will work as follows:

  1. A user comments /test
  2. A GitHub action is triggered and formats the PR details into a request payload
  3. The request is made to an API Gateway HTTPS endpoint
  4. The API Gateway forwards the event payload to a Lambda
  5. Lambda makes a request to CodeBuild to start a build for the PR
  6. CodeBuild will pull any hardcoded variables (such as access keys) from AWS Secrets Manager and pass them to the test as environment variables
  7. CodeBuild will run the test according to the arguments in the buildspec configuration
  8. Upon completion, the github-codebuild-logs (https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:277187709615:applications~github-codebuild-logs) serverless program will use a GitHub Access Token to comment the build logs and result on the PR.

Diagram: codebuild-gh-action

This PR adds the GitHub action that will send the PR details payload to the API Gateway endpoint. The stack containing the endpoint is deployed internally.

Testing: This process can be tested in action on the following PR https://github.com/rrrkharse/kubeflow-manifests/pull/5

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

rrrkharse • May 11 '22 06:05

Currently anyone can trigger it. I will make some iterations in which we pass an API key and the github username in the request to the API gateway to prevent unauthorized users from triggering the build. But I wanted to commit this initially to start with as a minimal viable product.

rrrkharse • May 11 '22 18:05
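One way the Lambda could gate builds on the API key and GitHub username mentioned in the comment above, as an added example that is not code from this PR or the internal stack. The payload field names (`commenter`, `comment`, `pr_number`), the allowlist, and the `start_build` callable are assumptions made for illustration.

```python
import hmac
import json

# Assumed payload fields (not from the PR): "commenter", "comment", "pr_number".
ALLOWED_USERS = frozenset({"maintainer-a", "maintainer-b"})  # constructed allowlist
TRIGGER = "/test"


def authorize(event, expected_key, allowed_users=ALLOWED_USERS):
    """Return (ok, reason, pr_number) for an API Gateway proxy-style event."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    supplied = str(headers.get("x-api-key", ""))
    # Constant-time comparison so the key cannot be recovered by timing.
    if not hmac.compare_digest(supplied.encode(), expected_key.encode()):
        return False, "bad api key", None
    try:
        body = json.loads(event.get("body") or "")
    except (ValueError, TypeError):
        return False, "malformed body", None
    if not isinstance(body, dict):
        return False, "malformed body", None
    # The username is asserted by the workflow, so it is only as trustworthy
    # as the API key; it is checked after the key, never instead of it.
    commenter = body.get("commenter")
    if not isinstance(commenter, str) or commenter not in allowed_users:
        return False, "user not allowed", None
    if str(body.get("comment", "")).strip() != TRIGGER:
        return False, "not a /test comment", None
    pr = body.get("pr_number")
    if isinstance(pr, bool) or not isinstance(pr, int) or pr <= 0:
        return False, "bad pr number", None
    return True, "ok", pr


def handle(event, expected_key, start_build):
    """start_build is a hypothetical callable standing in for the CodeBuild call."""
    ok, reason, pr = authorize(event, expected_key)
    if not ok:
        return {"statusCode": 403, "body": reason}
    start_build(pr)
    return {"statusCode": 202, "body": f"build queued for PR {pr}"}


def sample_event(key, commenter, comment="/test", pr=5):
    """Constructed request, shaped like an API Gateway proxy event."""
    body = json.dumps({"commenter": commenter, "comment": comment, "pr_number": pr})
    return {"headers": {"X-Api-Key": key}, "body": body}
```

Every rejected request returns before `start_build` is reached, so a comment from a user outside the allowlist never consumes build capacity.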

ons in which we pass an API key and the github username in the request to the API gateway to prevent unauthorized users fro

What's the risk here? Can any malicious user trigger a bunch of jobs on a dummy PR? How are we making sure it's prevented?

goswamig • May 17 '22 21:05

Reopen when ready

surajkota • Oct 12 '22 21:10